I am starting with new Spring project where i am planning to use SSO. I have red the blogs and come to know spring security SAML will be best solution for SP.
So i have implemented Spring Security SAML sample application provided by spring site https://github.com/SpringSource/spring-security-saml as SP along with Shibboleth IDP.
IDP connects with LDAP server. I am able to execute the Spring security sample application.
I am confused how can i use this Spring security SAML extension along with multiple spring projects.
Any example link or suggestions on architecturing the Spring SAML project integration with multiple Spring MVC application will be helpful.
Provided your REST APIs are only called by the web application which is deployed together with them (in a single war and therefore sharing the same HTTP session) you can use Spring SAML + Spring Security to secure them.
Spring SAML will be used to authenticate the users against a remote IDP and populate their entitlements (granted authorities); Spring Security can then be used to define security policies for the APIs called from the UI.
In case you want to be able to call the REST APIs from remote clients, you may want to look into the Spring Security OAuth project - as this is no longer about web single sign-on.
It is possible to create a central installation of Spring SAML which handles all SSO logic. Of course you will need to implement a mechanism in which Spring SAML relays information about the authenticated user and her attributes to your other applications, and do so in a secure way. One possible way to approach it (provided the applications are deployed on the same domain and therefore can share cookies) is to:
All of this can be done with implementations to standard interfaces of Spring Security and Spring SAML. But it's not a trivial task - mainly considering that any security vulnerability in your implementation might compromise security of your applications.